CAPEC-579: Replace Winlogon Helper DLL

Description

Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.

Extended Description

In the case of network based reporting of indicators, an adversary may block traffic associated with reporting to prevent central station analysis. This may be accomplished by many means such as stopping a local process to creating a host-based firewall rule to block traffic to a specific server.

In the case of local based reporting of indicators, an adversary may block delivery of locally-generated log files themselves to the central repository.

Severity :

Possibility :

Type :

Detailed

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-542: Targeted Malware Targeted Malware

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Boot or Logon Autostart Execution: Winlogon helper DLL

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-15: External Control of System or Configuration Setting

Visit http://capec.mitre.org/ for more details.